By Sarah Telford
Lead, Centre for Humanitarian Data
There has been a lot of discussion lately about data protection and data privacy in humanitarian action. But these issues are not unique to our sector and have been gaining broader awareness due to data misuse by big-name technology companies in recent years. This has led to the so-called ‘techlash’: a backlash against technology and an erosion of user trust.
As is often said, the technical tools for managing data have evolved faster than the policy instruments that govern their use. It is easy enough to create a new database or data platform, but agreeing on a policy framework takes time and requires a different mix of skills (i.e., developers and data managers working with senior managers and lawyers).
I have seen this firsthand in both managing OCHA’s Humanitarian Data Exchange (HDX), which was launched in 2014, and overseeing the development of the OCHA Data Responsibility Guidelines to be released as a working draft this month. The increased use of HDX over the years simultaneously exposed a doctrine and capacity gap in the humanitarian sector. OCHA’s Centre for Humanitarian Data was created to help address this with new workstreams for Data Policy and Data Literacy.
Convening a conversation
This moment of peak interest in data policy represents an opportunity to move from high-level principles (such as those recently adopted by the UN Secretariat) to practical guidance for navigating an increasingly complex and opaque area of work. And given the interdependencies within the humanitarian sector, we need to do this together.
The Centre plans to convene a number of conversations on data responsibility in the coming months. We will facilitate two open calls in March on critical incident reporting and third-party data sharing agreements – issues that need deeper exploration. This will be followed by a face-to-face workshop on data responsibility at the Centre in The Hague in April.
We invite partners to join these conversations by signing up to the Centre’s Data Policy mailing list. We will also be soliciting feedback on the OCHA Data Responsibility Guidelines once they are released. And we will continue to be active participants in partner events and ongoing processes on the same subject.
In May, we will hold an event at Wilton Park in the UK on ‘Data responsibility in humanitarian action: from principle to practice’. It will bring together approximately 50 participants from the humanitarian community, private sector, academia, civil society, and government to explore questions related to the technological, policy, and procedural requirements for responsible data management and, relatedly, the mitigation of digital risk and management of critical incidents in crisis response.
Over the longer term, we plan to engage members of the IASC to develop operational guidance on responsible data use within the humanitarian sector. We hope this process will lead to the adoption of a joint statement on data responsibility by the IASC Principals.
OCHA’s work on data responsibility
OCHA’s role as a coordinator and data aggregator offers us a unique perspective into the multiple dataflows that exist within a crisis response and the many ways data is collected and processed. Although OCHA typically does not manage data about affected people, we risk being a passthrough for sensitive data – data that can cause harm to individuals, groups, or organizations if misused or combined with other data.
For HDX in particular, we do not allow the sharing of personal data through the platform. Our highest value is trust. The HDX team will always prioritize ensuring that no high-risk data is shared over driving growth in datasets or users. That is why we monitor every dataset added to the platform and flag sensitive data to our contributors. As the saying goes, trust is hard to gain and easy to lose.
The forthcoming OCHA Data Responsibility Guidelines will build on this trust by offering a set of key actions, outputs, and tools for data responsibility at each step in the data management process, from collecting and storing to disseminating and destroying. We want to work with partners to further align this guidance with what exists and to develop actionable dos and don’ts across these steps.
We will also make further progress on data responsibility through a new initiative that is being supported by ECHO, the Directorate-General for European Civil Protection and Humanitarian Aid Operations.
The initiative has three focus areas:
- The development and prototyping of secure technical infrastructure that will allow key partners to process sensitive data responsibly after it has been collected or as it is shared via HDX;
- The development of joint guidance notes on specific issues related to managing personal or sensitive data in humanitarian response; and
- The convening of a number of events focused on responsible data use with partners from academia, government, the private sector, and Inter-Agency Standing Committee (IASC) agencies.
We recently launched the initiative at Humanitarian Networks Partnership Week (HNPW) during an event on ‘Doing No Digital Harm’, along with partners from ECHO, ICRC, Sphere, and Yale University. The conversation between panelists and participants covered a range of important issues, including the need for critical incident reporting of data breaches, navigating third-party/private sector data agreements, and the application of International Humanitarian Law (IHL) in the digital space.
As OCHA’s Assistant-Secretary General (ASG) Ursula Mueller said in her closing remarks at the event, “In order to ‘do no harm,’ we must be able to properly navigate the technical and ethical issues involved with data about crisis-affected people – from names and locations to fingerprints and iris scans. When not handled responsibly, data can place already vulnerable people at greater risk of harm or exploitation.”
The Centre is committed to working with our partners to take this work forward in a way that ensures the continued trust of affected people, humanitarian partners, and the users of our technical platforms.